Companies in industries such as financial services and healthcare have long had to comply with regulations calling for stronger data privacy. Today, it seems like businesses in every sector are facing more stringent rules about data protection -- and enterprises should expect to see even more regulations on the horizon.
Also: Congress considers a national standard for data privacy
"No one knows what the next law will be or whether it will be a state, federal or even global one, but it seems inevitable that new regulations are coming," said Jason Rader, national practice director for security in the Cloud and Data Center Transformation division of insight, an IT service provider.
In response to privacy concerns sparked by Facebook's and Google's handling of user data, leading technology companies last year called on the US federal government to pass a national data privacy law similar to the European Union's General Data Protection Regulation (GDPR), Rader noted. And in February 2019, the US Government Accountability Office issued a similar recommendation. "This is an issue that isn't going away," he said.
Since every new regulation is likely to have new requirements, businesses should be building on the GDPR work they did to be prepared for the next round and avoid a fire drill to meet compliance deadlines, Rader said.
"They already have taken a hard look at their types of data and how they collect, store, and use it," Rader said. "Now they should be leveraging that momentum and taking things to the next level to understand the controls -- firewalls, encryption, policies, etc., -- that are in place, the rationale behind each control's selection, its maturity in adoption, and its effectiveness in operations."
Then, when the next requirement comes along, it will be easier to see if there is a gap. "This isn't new, but most organizations don't choose to proactively do it," Rader said. "That means they're putting time and effort into being compliant to a specific requirement and not looking at the bigger picture."
Organizations might have done everything they needed to do to be compliant with GDPR. But that probably has not made them any more secure, Rader said. "Every major breach I can think of was a company that was compliant to some standard," he said. "Taking a few extra steps in the process could have a material effect on an organization's overall security posture."
Companies will need to take new approaches to data classification as part of their efforts to be compliant with emerging regulations.
"Instead of just looking at [customer] data, how it's collected and used, and how it's potentially deleted -- like the GDPR exercise -- a more meaningful approach would be to understand the discreet data within the organization, the different levels of classification there should be, the controls that each type requires, how they're implemented, and how the user base is made aware of the handling instructions for each data type," Rader said.
Doing this would also answer the questions beyond whether an organization is compliant. "It would answer whether or not this data should be moved to a foreign data center or whether this workload can legally and safely be moved to the cloud," Rader said. "And this is where an agile organization wants to be."